How to apply a command on a scheduled basis.

Jun 15th, 2009

I want to apply rate-limit or service-policy to an interface at 00.00 and to revert back at 07.00 every day.

What are possible solutions?

Thank you.

Edison Ortiz Mon, 06/15/2009 - 06:55
User Badges:
  • Super Bronze, 10000 points or more
  • Hall of Fame, Founding Member

Tim,


Depending upon the IOS you are using, you can implement Cisco IOS EEM as a solution:


http://www.cisco.com/en/US/products/ps6815/products_ios_protocol_group_home.html


With that said, I don't recommend making changes in the config on routers as a routine. You can run into issues during a config change that can cause a router to reload.


Depending on the requirements, you can also look into Time-Based ACLs.


http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#timebasedtimerange


HTH,


__


Edison.


SludnevTN_2 Mon, 06/15/2009 - 10:49

Yes!!! Thank you. Time based ACL. Here is the result:

time-range NIGHT
 periodic daily 00:00 to 06:59
!
access-list 150 remark This is to rate-limit almost everybody during NIGHT
access-list 150 deny ip host 192.168.11.212 any
access-list 150 deny ip any host 192.168.11.212
access-list 150 deny ip host 192.168.11.210 any
access-list 150 deny ip any host 192.168.11.210
access-list 150 deny ip 192.168.99.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 150 deny ip 192.168.11.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 150 deny ip 192.168.16.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 150 deny ip 192.168.11.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 150 deny ip 192.168.16.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 150 deny ip 192.168.12.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 150 deny ip host 192.168.11.203 any
access-list 150 deny ip any host 192.168.11.203
access-list 150 deny ip host 192.168.11.42 any
access-list 150 deny ip any host 192.168.11.42
access-list 150 permit ip any any time-range NIGHT
!
interface Vlan3
 description INSIDE
 ip address 172.16.11.2 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 rate-limit input access-group 150 128000 24000 24000 conform-action transmit exceed-action drop
 rate-limit output access-group 150 128000 24000 24000 conform-action transmit exceed-action drop

Anyway, I still cannot understand these numbers: 24000 24000. I know the recommendation - (128k*1.5)/8 - but it does not work. Why?

Thank you anyway.

Edison Ortiz Mon, 06/15/2009 - 10:54

Those numbers are the committed burst and exceeded burst values reflected in bytes.


What do you mean it does not work?


__


Edison.



SludnevTN_2 Mon, 06/15/2009 - 11:21

I mean this - For example:

I want to rate-limit everybody to 128 Kbit/s. When I am checking the interface traffic load with rate-limit applied, I see that it is really "rate-limited", but not to 128 Kbit/s - it is limited to 196-384 Kbit/s. Why? I am monitoring with IPSwitchGold and Advent Net Netflow. Can you please explain what these "burst rates" mean in real life? Is there any way to rate limit to REALLY xx Kbit/s?

Thank you.

Edison Ortiz Mon, 06/15/2009 - 11:51

What's the model of the device in question and IOS version?


BTW, I want to correct my previous reply.


Those numbers reflect 'burst normal' and 'burst max' (you will learn to love QoS and how similar the command variables are, NOT :)).


http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_q1.html#wp1015612


SludnevTN_2 Mon, 06/15/2009 - 12:02

Right now - C3845. But I saw the same issue on every device (C1[7,8]xx-C2[6,8,9]XX-C3[7,8]XX) I have worked with. I will try to read the documentation again.

Edison Ortiz Mon, 06/15/2009 - 12:12

Apply the rate-limit on the physical port instead of the logical interface.


Software rate-limiters will try to average the limit down to the specified value, but this is hard to obtain with the multitude of traffic flows and patterns.


You can also look into using the police command with MQC instead of the legacy rate-limit command.


HTH,


__


Edison.

SludnevTN_2 Tue, 06/16/2009 - 10:00

Thank you Edison.

I will use MQC a bit later. But first I want to understand why I do not have a result with CAR.

(I want to rate-limit to 64 Kbit/s but I see that traffic load is "floating" from 100 Kbit/s to 300 Kbit/s). Why?

Here are my questions:

1. If I place the rate limit on the physical NAT outside interface - will it work? I am not sure that ACL #150 will work - it classifies NAT inside hosts and "tunneled" networks from other regions. What do you think?

2. You advise me to avoid applying rate-limit to logical interfaces - is it from your experience or is it recommended by the documentation? I know that if I apply rate-limit to a Dialer interface - it does not work. Until this moment I thought that it was not working because of incorrect burst rates. Will it never work there? Should I move it to the physical interface?

3. I am very sorry, but I still cannot understand the rate-limit burst numbers. What are they? How can I find them out (calculate, or monitor and then apply)? Please show me the logic.

P.S. I have a rate-limit on another VLAN interface:

interface Vlan4
 description Wi-Fi For Guests
 ip address 192.168.254.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 rate-limit input access-group 140 128000 24000 24000 conform-action transmit exceed-action drop
 rate-limit output access-group 140 128000 24000 24000 conform-action transmit exceed-action drop

And it is working as I want: traffic does not exceed 128 Kbit/s.

Why is this not working:

interface Vlan3
 description INSIDE; PIX.KM4.RU
 ip address 172.16.11.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 rate-limit input access-group 150 64000 12000 12000 conform-action transmit exceed-action drop
 rate-limit output access-group 150 64000 12000 12000 conform-action transmit exceed-action drop

Thank you.



Edison Ortiz Tue, 06/16/2009 - 10:12

rate-limit is a legacy command but it should still work per your configuration.


After taking a closer look, you may want to verify the ACL 150 encompasses all traffic traversing that interface.


You can determine this by applying a rate-limit to all traffic (not just traffic within the 150 ACL) and see if the throughput is policed to 64kbps. If it's policed to 64kbps, then you need to troubleshoot your ACL.


As for the burst calculation, the recommended formula was illustrated in the link I posted previously for the rate-limit command.


__


Edison.
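
The ACL check suggested in the reply above can be done offline. The following is an added example, not part of any post in this thread: it evaluates the ACL 150 entries posted earlier with first-match semantics and the NIGHT time-range to show which flows the rate-limit lines would police. The flow addresses in the test calls are constructed, the function names are hypothetical, and the end minute of the time-range is assumed to be inclusive.

```python
from datetime import time
from ipaddress import IPv4Address

NIGHT = (time(0, 0), time(6, 59))  # periodic daily 00:00 to 06:59; end minute inclusive (assumption)

ACL_150 = """\
deny ip host 192.168.11.212 any
deny ip any host 192.168.11.212
deny ip host 192.168.11.210 any
deny ip any host 192.168.11.210
deny ip 192.168.99.0 0.0.0.255 192.168.11.0 0.0.0.255
deny ip 192.168.11.0 0.0.0.255 192.168.99.0 0.0.0.255
deny ip 192.168.16.0 0.0.0.255 192.168.11.0 0.0.0.255
deny ip 192.168.11.0 0.0.0.255 192.168.16.0 0.0.0.255
deny ip 192.168.16.0 0.0.0.255 192.168.12.0 0.0.0.255
deny ip 192.168.12.0 0.0.0.255 192.168.16.0 0.0.0.255
deny ip host 192.168.11.203 any
deny ip any host 192.168.11.203
deny ip host 192.168.11.42 any
deny ip any host 192.168.11.42
permit ip any any time-range NIGHT"""

def parse_addr(tok):
    """Consume one address spec from tok; return (base, wildcard) as ints."""
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(IPv4Address(tok.pop(0))), 0
    return int(IPv4Address(t)), int(IPv4Address(tok.pop(0)))

def parse(line):
    action, _proto, *tok = line.split()  # protocol is always "ip" in this ACL
    return action, parse_addr(tok), parse_addr(tok), "time-range" in tok

RULES = [parse(line) for line in ACL_150.splitlines()]

def hit(addr, spec):
    base, wild = spec  # bits set in the wildcard mask are "don't care"
    return (int(IPv4Address(addr)) | wild) == (base | wild)

def rate_limited(src, dst, now):
    """True if ACL 150 permits the flow at time `now`, so CAR polices it."""
    for action, s, d, timed in RULES:
        if timed and not NIGHT[0] <= now.replace(second=0, microsecond=0) <= NIGHT[1]:
            continue  # entry is inactive outside its time-range
        if hit(src, s) and hit(dst, d):
            return action == "permit"
    return False  # implicit deny: never classified, never policed
```

Flows for which `rate_limited` returns False are not subject to the rate-limit lines on Vlan3, yet they still count toward the interface load that a monitoring tool reports.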
